So, how’s your preparation going on for AWS Certified Security Specialty exam? Have you prepared yourself with Infrastructure Security domain, that has maximum weight i.e. 26% in the blueprint of AWS Security Specialty exam? Here we cover the topic “How to set right Inbound and Outbound rules for security groups and network access control lists?” that addresses the Infrastructure Security domain as highlighted in the AWS Blueprint for the exam guide. So, this article is an invaluable resource in your AWS Certified Security Specialty exam preparation.
For the 24*7 security of the VPC resources, it is recommended to use Security Groups and Network Access Control Lists. AWS NACLs act as a firewall for the associated subnets and control both the inbound and outbound traffic. So, it becomes very important to understand what are the right and most secure rules to be used for Security Groups and Network Access Control Lists (NACLs) for EC2 Instances in AWS. Let’s take a use case scenario to understand the problem and thus find the most effective solution.
As a Security Engineer, you need to design the Security Group and Network Access Control Lists rules for an EC2 Instance hosted in a public subnet in a Virtual Private Cloud (VPC). The instance needs to be accessed securely from an on-premise machine. The on-premise machine just needs to SSH into the Instance on port 22.
The networking details are given below
- IP Address of the On-premise machine – 220.127.116.11
- Public IP address of EC2 Instance – 18.104.22.168
- Private IP address of EC2 Instance – 172.31.38.223
Which of the following is the right set of rules which ensures a higher level of security for the connection? While determining the most secure and effective set of rules, you also need to ensure that the least number of rules are applied overall.
Solution: Set Right Inbound & Outbound Rules for Security Groups and Network Access Control Lists
If we visualize the architecture, this is what it looks like:
- Now the first point we need to consider is that we need not bother about the private IP address of the Instance since we are accessing the instance over the Internet
Now let’s look at the default security groups available for an Instance:
Now to change the rules, we need to understand the following
- The On-premise machine needs to make a connection on port 22 to the EC2 Instance. So, the incoming rules need to have one for port 22.
- Now, since SSH is a stateless protocol, we also need to ensure that there is a relevant Outbound rule. The EC2 Instance would connect to the on-premise machine on an ephemeral port (32768 – 65535)
- And here the source and destination is the on-premise machine with an IP address of 22.214.171.124
Hence, the rules which would need to be in place are as shown below:
Now, we need to apply the same reasoning to NACLs.
Let’s have a look at the default NACLs for a subnet:
Let us apply below-mentioned rules to NACL to address the problem.
- Allow incoming traffic on port 22 and outgoing on ephemeral ports (32768 – 65535).
- Allow source and destination as the public IP of the on-premise workstation for inbound & outbound settings respectively.
We would have below rules for NACL:
Other Related Resources:
- Consider the source and destination of the traffic.
- Consider both the Inbound and Outbound Rules.
- Always consider the most restrictive rules, it’s the best practice to apply the principle of least privilege while configuring Security Groups & NACL.
- And set right inbound and outbound rules for Security Groups and Network Access Control Lists.
So, here we’ve covered how you can set right inbound and outbound rules for Security Groups and Network Access Control Lists. Getting prepared with this topic will bring your AWS Certified Security Specialty exam preparation to the next level. If you think yourself fully prepared for the exam, give your preparation a check with AWS Certified Security Specialty Practice Tests. The Whizlabs practice test series comes with a detailed explanation to every question and thus help you find your weak areas and work on that.
So, join us today and enter into the world of great success!
- Exam tips on Google Cloud Certified Professional Cloud Architect - January 26, 2023
- Let’s begin you career in DevSecOps | An Exclusive Interview with DevSecOps Certified Expert – Andreas Horn - January 9, 2023
- 25 Free Question on AWS Certified SAP on AWS – Specialty Exam (PAS-C01) - December 19, 2022
- 7 pro tips to prepare for the AZ-500: Microsoft Azure Security Technologies Exam - November 14, 2022
- Preparation Guide on DVA-C01: AWS Certified Developer Associate Exam - November 8, 2022
- Preparation Guide on SK0-005: CompTIA Server+ Certification Exam - October 26, 2022
- Free Questions on Microsoft Azure AI Solution Exam AI-102 Certification - October 14, 2022
- Preparation Guide on PAS-C01: SAP on AWS Specialty Certification Exam - October 3, 2022